SUSE-CU-2025:4577-1: Security update of bci/kiwi
sle-container-updates at lists.suse.com
Fri Jun 20 13:40:43 UTC 2025
SUSE Container Update Advisory: bci/kiwi
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4577-1
Container Tags : bci/kiwi:9, bci/kiwi:9.24, bci/kiwi:9.24.43, bci/kiwi:9.24.43-16.6, bci/kiwi:latest
Container Release : 16.6
Severity : important
Type : security
References : 1222044 1230267 1235598 1237172 1237587 1237949 1238315 1239012
1239543 1239809 1239909 1240132 1240529 1241020 1241078 1241189
1241463 1242060 1242269 1243226 1243887 1243901 1244105 1244509
CVE-2025-2588 CVE-2025-29087 CVE-2025-29088 CVE-2025-3277 CVE-2025-46802
CVE-2025-6018 CVE-2025-6020
-----------------------------------------------------------------
The container bci/kiwi was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1456-1
Released: Wed May 7 17:13:32 2025
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1241020,1241078,1241189,CVE-2025-29087,CVE-2025-29088,CVE-2025-3277
This update for sqlite3 fixes the following issues:
- CVE-2025-29087,CVE-2025-3277: Fixed integer overflow in sqlite concat function (bsc#1241020)
- CVE-2025-29088: Fixed integer overflow through the SQLITE_DBCONFIG_LOOKASIDE component (bsc#1241078)
Other fixes:
- Updated to version 3.49.1 from Factory (jsc#SLE-16032)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1527-1
Released: Fri May 9 17:21:39 2025
Summary: Recommended update for libsolv, libzypp, zypper
Type: recommended
Severity: important
References: 1222044,1230267,1235598,1237172,1237587,1237949,1238315,1239809,1240529
This update for libsolv, libzypp, zypper fixes the following issues:
- Support the apk package and repository format (both v2 and v3)
- New dataiterator_final_{repo,solvable} functions
- Provide a symbol specific for the ruby-version so yast does not break across updates (bsc#1235598)
- XmlReader: Fix detection of bad input streams
- rpm: Fix detection of %triggerscript starts (bsc#1222044)
- RepoindexFileReader: add more <repo> related attributes a service may set
- Drop workaround for broken rpm-4.18 in Code16 (bsc#1237172)
- Drop usage of SHA1 hash algorithm because it will become unavailable in FIPS mode (bsc#1240529)
- Fix zypp.conf dupAllowVendorChange to reflect the correct default (false)
- zypp.conf: Add `lock_timeout` ($ZYPP_LOCK_TIMEOUT) (bsc#1239809)
- Fix computation of RepStatus if Repo URLs change
- Fix lost double slash when appending to an absolute FTP url (bsc#1238315)
- Add a transaction package preloader
- Strip a mediahandler tag from baseUrl querystrings
- Updated translations (bsc#1230267)
- Do not double encode URL strings passed on the commandline (bsc#1237587)
- info,search: add option to search and list Enhances (bsc#1237949)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1534-1
Released: Mon May 12 18:00:59 2025
Summary: Security update for augeas
Type: security
Severity: low
References: 1239909,CVE-2025-2588
This update for augeas fixes the following issues:
- CVE-2025-2588: Check for NULL pointers when calling re_case_expand in function fa_expand_nocase. (bsc#1239909)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1733-1
Released: Wed May 28 17:59:52 2025
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1242060
This update for krb5 fixes the following issue:
- Remove references to the LMDB backend in the kdc.conf manpage (bsc#1242060).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2007-1
Released: Wed Jun 18 16:03:17 2025
Summary: Recommended update for libzypp, zypper
Type: recommended
Severity: moderate
References: 1239012,1239543,1240132,1241463,1243887,1243901,1244105
This update for libzypp, zypper fixes the following issues:
- Fix credential handling in HEAD requests (bsc#1244105)
- RepoInfo: use pathNameSetTrailingSlash
- Fix wrong userdata parameter type when running zypp with debug verbosity (bsc#1239012)
- Do not warn about no mirrors if mirrorlist was switched on automatically. (bsc#1243901)
- Relax permission of cached packages to 0644 & ~umask (bsc#1243887)
- Add a note to service maintained .repo file entries
- Support using %{url} variable in a RIS service's repo section.
- Use a cookie file to validate mirrorlist cache.
This patch extends the mirrorlist code to use a cookie file to validate the contents of the cache against the source URL, making sure that we do not accidentally use an old cache when the mirrorlist URL was changed, for example when migrating a system from one release to the next, where the same repo alias might just have a different URL.
- Let Service define and update gpgkey, mirrorlist and metalink.
- Preserve a mirrorlist file in the raw cache during refresh.
- Enable curl2 backend and parallel package download by default.
Environment variables ZYPP_CURL2=<0|1> and ZYPP_PCK_PRELOAD=<0|1> can be used to turn the features on or off.
- Make gpgKeyUrl the default source for gpg keys.
When refreshing, zypp now primarily uses the gpgKeyUrl information from the repo files and only falls back to an automatically generated key URL if a gpgKeyUrl was not specified.
- Introduce mirrors into the Media backends (bsc#1240132)
- Drop MediaMultiCurl backend.
- Throttle progress updates when preloading packages (bsc#1239543)
- Check if request is in valid state in CURL callbacks
- spec/CMake: add conditional build '--with[out] classic_rpmtrans_as_default'.
classic_rpmtrans is the current builtin default for SUSE, otherwise it's single_rpmtrans.
The `enable_preview_single_rpmtrans_as_default_for_zypper` switch was removed from the spec file. Accordingly, the CMake option ENABLE_PREVIEW_SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER was removed.
- BuildRequires: libzypp-devel >= 17.37.0.
- Use libzypp improvements for preload and mirror handling.
- xmlout.rnc: Update repo-element (bsc#1241463)
Add the 'metalink' attribute and reflect that the 'url' elements list may in fact be empty, if no baseurls are defined in the .repo files.
- man: update --allow-unsigned-rpm description.
Explain how to achieve the same for packages provided by repositories.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2013-1
Released: Wed Jun 18 20:05:07 2025
Summary: Security update for pam
Type: security
Severity: important
References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020
This update for pam fixes the following issues:
- CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226).
- CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2016-1
Released: Thu Jun 19 09:14:28 2025
Summary: Security update for screen
Type: security
Severity: moderate
References: 1242269,CVE-2025-46802
This update for screen fixes the following issues:
Security issues fixed:
- CVE-2025-46802: temporary `chmod` of a user's TTY to mode 0666 when attempting to attach to a multi-user session allows for TTY hijacking (bsc#1242269).
Other issues fixed:
- Use TTY file descriptor passing after a suspend (`MSG_CONT`).
- Fix resume after suspend in multi-user mode.
The following package changes have been done:
- glibc-2.38-150600.14.32.1 updated
- libfa1-1.14.1-150600.3.3.1 updated
- libsqlite3-0-3.49.1-150000.3.27.1 updated
- terminfo-base-6.1-150000.5.30.1 updated
- ncurses-utils-6.1-150000.5.30.1 updated
- libudev1-254.24-150600.4.33.1 updated
- libaugeas0-1.14.1-150600.3.3.1 updated
- krb5-1.20.1-150600.11.11.2 updated
- libsolv-tools-base-0.7.32-150600.8.10.1 updated
- libzypp-17.37.5-150600.3.60.1 updated
- zypper-1.14.90-150600.10.34.3 updated
- pam-1.3.0-150000.6.83.1 updated
- screen-4.6.2-150000.5.8.1 updated
- container:registry.suse.com-bci-bci-base-15.7-04113e63d8b21a6587df36873c0cfa792cda3b832bf43939774fdf420ef97fc3-0 updated